Build the ISMS policy stack that survives ISO 27001 Stage 2 audit and BNM RMiT examination — apex Information Security Policy, 35+ topic policies, and the supporting procedures that translate them into operations.
Auditors do not assess what you do. They assess the gap between what your policies say you do and what your evidence shows you actually do. A clean policy stack is the foundation of every defensible audit response. It is also the artefact most often used by senior leadership to set behavioural expectations across the organisation, by HR to ground disciplinary action, by procurement to flow control requirements down to vendors, and by the security team to anchor every operational decision.
For Malaysian organisations targeting ISO 27001 certification, BNM RMiT alignment, NACSA Cyber Security Act 2024 readiness, or PDPA 2024 compliance — the policy stack is a non-negotiable foundation. Building it badly costs years of remediation. Building it well takes 8-12 weeks of focused effort.
We follow a four-layer hierarchy. Each layer answers a different question, has a different audience, and is approved at a different governance level.
Layer 1, the apex Information Security Policy, sets executive intent. One short document (typically 4-8 pages), signed by the CEO or board, that anchors all downstream policies. Reviewed annually at the management review meeting.
Layer 2, topic policies: 30-40 documents, one per major control domain. They set the 'what' and the 'why' for each topic (acceptable use, access control, incident response, encryption, and so on). Approved by the domain owner under delegated authority.
Layer 3, procedures: step-by-step operational instructions that set the 'how'. Authored by the operational owner. Reviewed whenever the underlying technology or process changes.
Layer 4, standards: technical configuration baselines (minimum password length, permitted TLS versions, patch SLAs) that set the measurable bar. Updated as the threat landscape evolves.
The standard ISMS policy stack covers the full ISO 27001:2022 Annex A control set, organised by theme. Each policy is mapped to the Annex A control(s) it addresses and to any applicable BNM RMiT, PDPA 2024 or NACSA driver.
Each draft policy goes through structured governance review: technical sign-off by the control owner, peer review by a second nominated reviewer, GRC review for alignment to standards, legal review for any regulatory or contractual implication, and final approval by the designated approver under the policy approval RACI.
We facilitate the entire review cycle — track changes, comment resolution, version history — and deliver each policy in a finalised, ratified state with an audit trail of approvals.
ISO 27001 clause 5.2 requires top management to establish and approve the apex Information Security Policy, and Annex A control 5.1 requires topic-specific policies to be approved by management as well. We take the apex policy and the next-tier critical policies (Incident Response, BCP, Privacy) through formal management ratification: we prepare the ratification pack (covering note, changes-since-prior-version summary, alignment-to-business-strategy statement) and facilitate the ratification meeting.
The output is a signed policy register with executive ratification dates, which is the first document examiners and auditors ask for.
Template packs fail audits. ISO 27001 Stage 2 auditors and BNM examiners read policies for evidence that they reflect your actual organisation: your actual technology stack, roles, risk tolerance and control implementations. Templates carry generic language that contradicts the operating reality, and that contradiction is itself an audit finding. The policies have to be authored for your context.
A defensible ISMS policy stack for a mid-sized Malaysian organisation typically contains one apex Information Security Policy, 30-40 topic policies (acceptable use, access control, encryption, incident response, vendor management, etc.), and 50-100 supporting procedures and standards. Smaller organisations need fewer; regulated FIs and NCII operators need more.
ISO 27001 clause 5.2 requires top management to approve the apex Information Security Policy. Topic policies are typically approved by the head of the relevant function (CIO for IT policies, COO for operational policies, CHRO for people policies) under delegated authority. Procedures and standards are approved by the operational owner. The full RACI for policy approval is part of our policy framework deliverable.
ISO 27001 (Annex A control 5.1) requires policies to be reviewed at planned intervals and whenever significant changes occur; annual review of every policy is the accepted baseline and is what BNM RMiT examiners expect to see. Higher-risk policies (incident response, BCP, encryption) should be reviewed semi-annually or after material changes. Triggering events such as new regulation, a major incident, a significant technology change or M&A activity drive interim out-of-cycle review of the affected policies.
We offer both direct authoring and coached authoring. The default engagement is direct authoring: our consultants draft, you review and ratify. For organisations building a long-term in-house GRC capability, we run a parallel author-and-coach engagement in which your nominated lead authors with our coaching and learns the framework as they go. The second model takes 30-50% longer but builds durable in-house competency.
Scoping calls take 30 minutes. Full ISMS policy stack delivered and ratified in 8-12 weeks.
Get a Policy Sprint Scoping